Second-Generation Dongle - Modding
By Zanna
at 2011-10-24T10:39
http://goo.gl/q5jaE
Last night's news
UPDATE #3:
More updates from the last several hours as more people seem to be
getting their hands on the device.
The latest news from a few hours ago: it looks like more and more people are getting hold of this thing!
First off for those interested, the MFW and JB2 dongle updater files
have been leaked on to the web, you can grab the downloads below:
For the curious, some files have already leaked: the rumored dongle updater and the custom firmware that goes with the dongle. Anyone interested can download and study them.
[Download Jailbreak 2 CFW/MFW files] http://www.multiupload.com/9YPQX47G7F
[Download Jailbreak 2 Dongle Updater] http://www.multiupload.com/9YPQX47G7F
Second off the Jailbreak 2 is being reverse engineered, for those
interested you can read the full documentation via PS3DevWiki.
Next, reverse engineering of this second-generation dongle has already begun; those interested can head over to the PS3DevWiki site. [Translator's note: that site is quite technical and may read like gibberish to newcomers.]
So I believe it's safe to say this device is probably real, and now we
should focus on how it actually works.
So I think it is reasonable to conclude that this thing actually works and is not a fake; next, let's look at how it operates.
In summary it seems that JB2 is nothing special at all. What they
seem to be doing is using something called a DEBUG EBOOT which is
burned onto a disc, and is playable on the PS3. So all we technically
need is the debug EBOOTs for each game which can be acquired via
dev network (and people can get this via debug PS3s). So until
Sony takes a stand against these debug EBOOTs, the scene may have
found their access to newer games.
Broadly speaking, how this thing works is not surprising. It simply makes the console run the debug version of the game's main executable: the debug executable downloaded from the developer network is written over the main executable from the original disc, the disc contents are burned to a writable disc, and that's it. So technically all we need is the debug executable of the game we want to run (some people have channels to get these), and unless SONY takes countermeasures against these debug executables, the community will be able to keep playing the newest titles.
Mathieulh has commented on it:
<Mathieulh> I kinda figured how it works already
I think I've roughly figured it out
<Mathieulh> they patched lv1 and lv2
They patched the lv1 and lv2 code
<Mathieulh> and they have lv2 to check if the self keyset is 0x10 or
higher
They have lv2 check whether the SELF file's key revision value is greater than 0x10
<Mathieulh> if so it's sent to lv1 through a separate hypercall from
hvsc99
If so [meaning the game requires a firmware version above 3.56], the file is decrypted through a new syscall instead of the original syscall 99
<Mathieulh> which sends the self or part of it to the usb hw
They most likely implement this new syscall through the hardware circuitry on the dongle,
<Mathieulh> which performs some crypto
so the console sends the whole SELF, or part of it, off for decryption
<Mathieulh> and returns a decrypted result to lv1
After the hardware finishes decrypting, it returns the decrypted executable to lv1
<Mathieulh> at least that's what I got out of a few minutes of
debugging
That's what I got from a few minutes of study and debugging
<Mathieulh> I am pretty sure the keys are on the dongle
I'm confident the decryption keys are indeed hidden inside the dongle
<Hewman> as in debug eboots?
As in the debug executables?
<Mathieulh> 3.60+ app keys
And also the 3.60+ app keys.
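As an added illustration (not code from this post, nor from the JB2 project), a small Python model of the lv2 check Mathieulh describes: parse a SELF's SCE header, read its key revision, and report whether a patched lv2 would keep the file on the stock hvsc99 path or divert it to the dongle. The 32-byte header layout and the field name key_revision are assumed from public PS3 documentation, and the sample headers are constructed, not taken from any real game.

```python
import struct

# The check Mathieulh describes: SELFs whose keyset is 0x10 or higher are
# diverted from the stock lv1 decryption path (hvsc99) to the dongle.
KEYSET_DIVERT_THRESHOLD = 0x10
STOCK_PATH = "lv1 hvsc99 (console keys)"
DONGLE_PATH = "separate hypercall -> USB dongle (keys on dongle)"

# SCE/SELF header layout, assumed from public PS3 reverse-engineering docs:
# magic(4) version(4) key_revision(2) type(2) metadata_offset(4)
# header_len(8) data_len(8), all big-endian.
SCE_HEADER = struct.Struct(">4sIHHIQQ")
SCE_MAGIC = b"SCE\x00"
SCE_TYPE_SELF = 1


def parse_sce_header(blob):
    """Parse the fixed 32-byte SCE header; raise ValueError on malformed input."""
    if len(blob) < SCE_HEADER.size:
        raise ValueError("header truncated: need %d bytes" % SCE_HEADER.size)
    magic, version, key_rev, sce_type, meta_off, hdr_len, data_len = \
        SCE_HEADER.unpack_from(blob)
    if magic != SCE_MAGIC:
        raise ValueError("bad magic %r, not an SCE file" % magic)
    if hdr_len < SCE_HEADER.size or meta_off > hdr_len:
        raise ValueError("inconsistent header/metadata lengths")
    return {"version": version, "key_revision": key_rev, "type": sce_type,
            "metadata_offset": meta_off, "header_len": hdr_len,
            "data_len": data_len}


def decrypt_path(hdr):
    """Return which decryption path the patched lv2 would pick for this file."""
    if hdr["type"] != SCE_TYPE_SELF:
        return "not a SELF, no decryption dispatch"
    if hdr["key_revision"] >= KEYSET_DIVERT_THRESHOLD:
        return DONGLE_PATH
    return STOCK_PATH


def make_sample_header(key_rev, sce_type=SCE_TYPE_SELF):
    """Constructed sample header (not from any real game), for demonstration."""
    return SCE_HEADER.pack(SCE_MAGIC, 2, key_rev, sce_type, 0x40, 0x880, 0x10000)


if __name__ == "__main__":
    for rev in (0x0D, 0x10, 0x1C):
        hdr = parse_sce_header(make_sample_header(rev))
        print("key_revision 0x%02X -> %s" % (rev, decrypt_path(hdr)))
```

From the defender's side, the observable is the same for every file the threshold catches: a SELF with key revision 0x10 or above is handed to a USB device outside the console's own trust boundary, rather than to lv1 with the console's keys.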
Tags: Modding